From 8ed303d5bbf97c8e483e94ff38e24dee5ca2a7ee Mon Sep 17 00:00:00 2001
From: Naomi Zheng <naomizheng@microsoft.com>
Date: Wed, 3 Jun 2026 21:54:42 -0400
Subject: [PATCH] Pin vulnerable transitive NuGet packages (SFI-ES5.2)

- Microsoft.Bcl.Memory -> 10.0.4
- System.Net.Http      -> 4.3.4
- System.Text.RegularExpressions -> 4.3.1

Added as direct <PackageReference> overrides in the consuming csprojs.
CPM not introduced. Verified via dotnet restore/build/test against
nuget.org (ADO feed unreachable from build env).

S360-Run-Id: 189d082f-67ad-401e-b203-788bd7c886cf
S360-KPI: SFI-ES5.2
S360-Skill: dependabot:dependency-update-orchestrator
S360-Arm: dedicated_skill
---
 src/Shared.CLI/Shared.CLI.csproj                   | 4 ++++
 src/Shared.Lib.Tests/Shared.Lib.Tests.csproj       | 3 +++
 src/Shared/Shared.Lib.csproj                       | 2 ++
 src/oss-find-squats-lib/oss-find-squats-lib.csproj | 5 +++++
 src/oss-gadget-cli/oss-gadget-cli.csproj           | 6 ++++++
 src/oss-tests/oss-tests.csproj                     | 4 ++++
 6 files changed, 24 insertions(+)

diff --git a/src/Shared.CLI/Shared.CLI.csproj b/src/Shared.CLI/Shared.CLI.csproj
index b20dc44c..90d30cc7 100644
--- a/src/Shared.CLI/Shared.CLI.csproj
+++ b/src/Shared.CLI/Shared.CLI.csproj
@@ -96,6 +96,10 @@
     <PackageReference Include="SemanticVersioning" Version="3.0.0" />
     <PackageReference Include="System.Console" Version="4.3.1" />
     <PackageReference Include="Whois" Version="3.0.1" />
+    <!-- SFI-ES5.2: pin vulnerable transitive -->
+    <PackageReference Include="Microsoft.Bcl.Memory" Version="10.0.4" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Shared.Lib.Tests/Shared.Lib.Tests.csproj b/src/Shared.Lib.Tests/Shared.Lib.Tests.csproj
index 42dbe4a6..93866278 100644
--- a/src/Shared.Lib.Tests/Shared.Lib.Tests.csproj
+++ b/src/Shared.Lib.Tests/Shared.Lib.Tests.csproj
@@ -28,6 +28,9 @@
 		  <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
 		  <PrivateAssets>all</PrivateAssets>
 	  </PackageReference>
+	  <!-- SFI-ES5.2: pin vulnerable transitive -->
+	  <PackageReference Include="System.Net.Http" Version="4.3.4" />
+	  <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Shared/Shared.Lib.csproj b/src/Shared/Shared.Lib.csproj
index c9b6a1e7..d9050ddb 100644
--- a/src/Shared/Shared.Lib.csproj
+++ b/src/Shared/Shared.Lib.csproj
@@ -51,6 +51,8 @@
         <PackageReference Include="SemanticVersioning" Version="3.0.0" />
         <PackageReference Include="System.Console" Version="4.3.1" />
         <PackageReference Include="System.Linq.Async" Version="7.0.0" />
+        <!-- SFI-ES5.2: pin vulnerable transitive -->
+        <PackageReference Include="Microsoft.Bcl.Memory" Version="10.0.4" />
     </ItemGroup>
 
     <ItemGroup>
diff --git a/src/oss-find-squats-lib/oss-find-squats-lib.csproj b/src/oss-find-squats-lib/oss-find-squats-lib.csproj
index 5b790e8d..06bfd400 100644
--- a/src/oss-find-squats-lib/oss-find-squats-lib.csproj
+++ b/src/oss-find-squats-lib/oss-find-squats-lib.csproj
@@ -32,6 +32,11 @@
     <ProjectReference Include="..\Shared\Shared.Lib.csproj" />
   </ItemGroup>
 
+  <ItemGroup>
+    <!-- SFI-ES5.2: pin vulnerable transitive -->
+    <PackageReference Include="Microsoft.Bcl.Memory" Version="10.0.4" />
+  </ItemGroup>
+
   <ItemGroup>
     <None Include="..\..\LICENSE.txt" Pack="true" PackagePath="" />
     <None Include="..\..\icon-128.png" Pack="true" PackagePath="" />
diff --git a/src/oss-gadget-cli/oss-gadget-cli.csproj b/src/oss-gadget-cli/oss-gadget-cli.csproj
index 6f5386a2..19dbdb50 100644
--- a/src/oss-gadget-cli/oss-gadget-cli.csproj
+++ b/src/oss-gadget-cli/oss-gadget-cli.csproj
@@ -31,6 +31,12 @@
       <ProjectReference Include="..\Shared.CLI\Shared.CLI.csproj" />
     </ItemGroup>
 
+    <ItemGroup>
+      <!-- SFI-ES5.2: pin vulnerable transitive -->
+      <PackageReference Include="System.Net.Http" Version="4.3.4" />
+      <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
+    </ItemGroup>
+
     <ItemGroup>
       <None Include="..\..\LICENSE.txt" Pack="true" PackagePath="" />
       <None Include="..\..\icon-128.png" Pack="true" PackagePath="" />
diff --git a/src/oss-tests/oss-tests.csproj b/src/oss-tests/oss-tests.csproj
index 52259f50..72a321c3 100644
--- a/src/oss-tests/oss-tests.csproj
+++ b/src/oss-tests/oss-tests.csproj
@@ -25,6 +25,10 @@
 	    <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
 		<PrivateAssets>all</PrivateAssets>
 	</PackageReference>
+    <!-- SFI-ES5.2: pin vulnerable transitive -->
+    <PackageReference Include="Microsoft.Bcl.Memory" Version="10.0.4" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
   </ItemGroup>
 
   <ItemGroup>